Re: How to configure DH groups for TLS 1.3
Hi Dominik, On Thu, 2 May 2024 at 17:14, Froehlich, Dominik wrote: The closest I’ve gotten is the “curves” property: https://docs.haproxy.org/2.8/configuration.html#5.1-curves However, I think it only restricts the available elliptic curves in a ECDHE handshake, but it does not prevent a TLS 1.3 client from selecting a non-ECDHE prime group, for example “ffdhe8192”. [snip] While Lukas answered the specific question better than I could, does the hardening guide you're following happen to be a public resource in general? Good public guidelines on the topic is very sparse [1], and I'd be interested in these if they exist somewhere, if only out of curiosity. Regards, Tristan [1]: Or often essentially nonexistent, short of reading dozens of papers off arxiv, of which the majority seem to focus on PoCs rather than practical advice
Re: How to configure DH groups for TLS 1.3
On Thu, 2 May 2024 at 19:50, Lukas Tribus wrote: > > On Thu, 2 May 2024 at 17:14, Froehlich, Dominik > wrote: > > The closest I’ve gotten is the “curves” property: > > https://docs.haproxy.org/2.8/configuration.html#5.1-curves > > > > However, I think it only restricts the available elliptic curves in a ECDHE > > handshake, but it does not prevent a TLS 1.3 client from selecting a > > non-ECDHE prime group, for example “ffdhe8192”. > > If I understand the code correctly, both nginx and haproxy call > SSL_CTX_set1_curves_list(), what exactly makes you think that haproxy > does something different? More to the point: curve and group is the same exact thing in openssl: https://www.openssl.org/docs/man3.0/man3/SSL_CONF_cmd.html > -curves groups > This is a synonym for the -groups command. https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set1_curves.html > The curve functions are synonyms for the equivalently named group functions > and are identical in every respect. They exist because, prior to TLS1.3, > there was only the concept of supported curves. In TLS1.3 this was renamed to > supported groups, and extended to include Diffie Hellman groups. The group > functions should be used in preference. https://github.com/openssl/openssl/issues/18089#issuecomment-1096748557 > In TLSv1.3 the old "supported_curves" extension was renamed to > "supported_groups". This renaming has been followed through to the OpenSSL > API so that SSL_CTX_set1_curves_list is synonymous with > SSL_CTX_set1_groups_list, and the the -curves command line argument is > synonymous with -groups. So in the above issue you are not just constraining > the EC curves - you are constraining all the groups available for use in > TLSv1.3. This includes FFDH groups - so the above configuration prevents > either ECDH or FFDH being used in TLSv1.3. Setting openssl curves (groups) via SSL_CTX_set1_curves_list just like nginx does is supported since Haproxy 1.8: https://github.com/haproxy/haproxy/commit/e7f2b7301c0a6625654056356cca56853a14cd68 Lukas
Re: How to configure DH groups for TLS 1.3
On Thu, 2 May 2024 at 17:14, Froehlich, Dominik wrote: > The closest I’ve gotten is the “curves” property: > https://docs.haproxy.org/2.8/configuration.html#5.1-curves > > However, I think it only restricts the available elliptic curves in a ECDHE > handshake, but it does not prevent a TLS 1.3 client from selecting a > non-ECDHE prime group, for example “ffdhe8192”. If I understand the code correctly, both nginx and haproxy call SSL_CTX_set1_curves_list(), what exactly makes you think that haproxy does something different? Lukas
Re: How to configure DH groups for TLS 1.3
I'd try openssl.cnf чт, 2 мая 2024 г. в 17:17, Froehlich, Dominik : > Hello everyone, > > > > I’m hardening HAProxy for CVE-2002-20001 (DHEAT attack) at the moment. > > > > For TLS 1.2 I’m using the “tune.ssl.default-dh-param” option to limit the > key size to 2048 bit so that an attacker can’t force huge keys and thus > lots of CPU cycles on the server. > > > > However, I’ve noticed that the property has no effect on TLS 1.3 > connections. An attacker can still negotiate an 8192-bit key and brick the > server with relative ease. > > > > I’ve found an OpenSSL blog article about the issue: > https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/index.html > > > > As it seems, this used to be a non-issue with OpenSSL 1.1.1 because it > only supported EC groups, not finite field ones but in OpenSSL 3.x it is > again possible to select the vulnerable groups, even with TLS 1.3. > > > > The article mentions a way of configuring OpenSSL with a “Groups” setting > to restrict the number of supported DH groups, however I haven’t found any > HAProxy config option equivalent. > > > > The closest I’ve gotten is the “curves” property: > https://docs.haproxy.org/2.8/configuration.html#5.1-curves > > > > However, I think it only restricts the available elliptic curves in a > ECDHE handshake, but it does not prevent a TLS 1.3 client from selecting a > non-ECDHE prime group, for example “ffdhe8192”. > > > > The article provides example configurations for NGINX and Apache, but is > there any way to restrict the DH groups (e.g to just ECDHE) for TLS 1.3 for > HAProxy, too? > > > > > > Best Regards, > > Dominik >